ETQ Reliance CG Reflected Cross-Site Scripting Vulnerability in SQLConverterServlet Component
Vulnerability
A reflected cross-site scripting vulnerability has been identified in the ETQ Reliance CG (legacy) platform, specifically within the SQLConverterServlet component. This vulnerability allows for the execution of unauthorized scripts in the context of the user, requiring user interaction to exploit. The issue arises from the servlet being unnecessarily exposed to authenticated users, and it has been addressed in the ETQ Reliance release SE.2025.1.
Impact
Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can execute scripts in the context of the user.
Reproduction
To reproduce this vulnerability, an authenticated user must click on a crafted link that includes a malicious payload targeting the SQLConverterServlet. The servlet can be accessed directly, and the vulnerability can be triggered by sending a request with the MySQLStm parameter containing the XSS payload.
Remediation
The vulnerability has been fixed in the ETQ Reliance release SE.2025.1, which is available to on-premises customers.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.